About syslog channels

A syslog channel allows the Venafi Log server to send log messages to any log aggregation or analysis solution that supports the syslog protocol. Log messages carry the timestamp of the Trust Protection Platform server that generated them, not the time zone of the receiving system; whether that timestamp is expressed in GMT/UTC or in the server's local time depends on the message format, as described for each format below.

Trust Protection Platform version 19.3 introduced two additional message formats, Common Event Format (CEF) and JSON, and added support for encrypted (TLS) connections to remote syslog servers. The legacy BSD format remains available.

All Venafi Log server messages include a severity code that maps directly to the standard syslog severity codes: 0 is an emergency, 3 is an error, 4 is a warning, 6 is informational, and so on, with lower numbers being more urgent. The channel configuration settings also let administrators specify the syslog facility code the channel uses, so a collector can route Venafi events separately from other sources.

About the CEF format

CEF, or Common Event Format, is a standardized logging format originally defined by ArcSight and used by many network devices and applications. A CEF record carries a fixed header (vendor, product, version, a signature or event ID, a name, and a severity) followed by key-value extension fields such as the source and destination of the event and the message text.

If the Syslog server records messages in the CEF format, the timestamps are recorded as local server time. If you are working with servers in multiple time zones, be aware that per the CEF specification dates are recorded in UTC, so events from different servers will not line up until the receiver accounts for each server's offset.

About the JSON format

If the Syslog server records messages in the JSON format, the timestamps are the local time of the Trust Protection Platform server. When you select JSON as the message body format, each message follows this pattern:

{
   "time_stamp":"<Event.ClientTime>",
   "name":"<Event Description from Log Schema>",
   "event_id":"<Event.ID>",
   "severity":"<Event.Severity>",
   "dvc_ip":"<Event.SourceIP>",
   "object":"<Event.Component>",
   "object_id":"<Event.ComponentId>",
   "object_subsystem":"<Event.ComponentSubsystem>",
   "text1":{
      "name":<Text1 Title from Log Schema>,
      "value":<Event.Text1>
   },
   "text2":{
      "name":<Text2 Title from Log Schema>,
      "value":<Event.Text2>
   },
   "value1":{
      "name":<Value1 Title from Log Schema>,
      "value":<Event.Value1>
   },
   "value2":{
      "name":<Value2 Title from Log Schema>,
      "value":<Event.Value2>
   },
   "grouping":{
      "name":"<Grouping Title from Log Schema>",
      "value":"<Event.Grouping>"
   },
   "data":{
      "name":"<Data Title from Log Schema>",
      "value":"<Event.Data>"
   }
}
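The receiving side has to undo the two things the template above leaves implicit: the time_stamp is server-local (so it must be re-based to UTC before it can be correlated with other sources) and the text/value/grouping/data fields are name/value pairs whose names come from the Log Schema. The following parser is an added example, not Venafi code or output; the sample message is constructed to match the template, and the server offset of UTC-7, the event name, ID, IP address and field titles are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone, tzinfo

# Syslog severity codes (RFC 5424, table 2). Venafi Log server severities align with these.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Assumption: the Trust Protection Platform server that writes the JSON body runs at UTC-7.
# In production use zoneinfo.ZoneInfo("<Region/City>") instead of a fixed offset so that
# daylight-saving transitions are applied correctly.
SERVER_TZ = timezone(timedelta(hours=-7), "UTC-7")

# Constructed sample following the template above. Field values are illustrative only;
# they are not real Trust Protection Platform output.
SAMPLE_JSON = """{
   "time_stamp":"2024-01-15T14:05:09",
   "name":"Certificate Renewal Failed",
   "event_id":"0x11111111",
   "severity":"3",
   "dvc_ip":"10.0.0.5",
   "object":"Certificate",
   "object_id":"42",
   "object_subsystem":"Renewal",
   "text1":{"name":"Subject","value":"CN=web01.example.test"},
   "text2":{"name":"Reason","value":"Upstream CA unreachable"},
   "value1":{"name":"Attempt","value":3},
   "value2":{"name":"","value":0},
   "grouping":{"name":"Group","value":"Renewals"},
   "data":{"name":"Data","value":""}
}"""


def parse_timestamp(raw: str, server_tz: tzinfo = SERVER_TZ) -> datetime:
    """Return an aware UTC datetime for a JSON time_stamp value.

    The JSON body carries the server's local time, so a value without an offset is
    interpreted in server_tz before converting to UTC. A value that already carries
    an offset is honoured as written.
    """
    dt = datetime.fromisoformat(raw)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=server_tz)
    return dt.astimezone(timezone.utc)


def normalize_event(body: str, server_tz: tzinfo = SERVER_TZ) -> dict:
    """Parse one JSON message body into a flat record with a UTC timestamp.

    The paired name/value fields (text1, text2, value1, value2, grouping, data) are
    folded into a single 'details' mapping keyed by the Log Schema title; pairs whose
    title is empty (unused slots) are dropped.
    """
    msg = json.loads(body)
    severity = int(msg["severity"])
    details = {}
    for key in ("text1", "text2", "value1", "value2", "grouping", "data"):
        pair = msg.get(key) or {}
        title = pair.get("name")
        if title:
            details[title] = pair.get("value")
    return {
        "time_utc": parse_timestamp(msg["time_stamp"], server_tz).isoformat(),
        "event_id": msg["event_id"],
        "name": msg["name"],
        "severity": severity,
        "severity_name": SEVERITY_NAMES.get(severity, "Unknown"),
        "source_ip": msg["dvc_ip"],
        "component": msg["object"],
        "component_id": msg["object_id"],
        "subsystem": msg["object_subsystem"],
        "details": details,
    }


def is_actionable(event: dict, max_severity: int = 4) -> bool:
    """True for events at Warning (4) or more urgent; lower numbers are more severe."""
    return event["severity"] <= max_severity


if __name__ == "__main__":
    print(json.dumps(normalize_event(SAMPLE_JSON), indent=2))
```

With the assumed UTC-7 offset, the sample's 14:05:09 local time becomes 21:05:09 UTC; a feed of the same message from a server in another zone would diverge by exactly that offset difference if the conversion step were skipped, which is the correlation problem the timestamp notes above are warning about.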

About the BSD format

The legacy Berkeley Software Distribution (BSD) syslog format, defined in RFC 3164, continues to be supported. If the Syslog server records messages in the BSD format, the timestamps are GMT/UTC. Note that an RFC 3164 timestamp carries neither a year nor a time zone indicator, so the receiver must supply the year and treat the value as UTC when indexing these messages. For more information about the BSD format, see https://tools.ietf.org/html/rfc3164.
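The severity and facility codes described earlier and the BSD format above meet in the PRI field, the number in angle brackets at the start of every RFC 3164 line, which is facility * 8 + severity. The following parser is an added example, not Venafi's driver or any of its real output; it encodes and decodes PRI, parses constructed BSD-style lines (the host name tpp01, the tag VenafiLog and the message texts are made up), attaches UTC and a caller-supplied year to the timestamp as the note above requires, and filters to Warning or worse.

```python
import re
from datetime import datetime, timezone

# Facility codes from RFC 3164 section 4.1.1; names are conventional, not normative.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Constructed sample lines (facility local0 = 16): 131 = Error, 132 = Warning,
# 134 = Informational. The last line is deliberately malformed.
SAMPLE_LINES = [
    "<131>Jan 15 21:05:09 tpp01 VenafiLog: Certificate renewal failed for CN=web01.example.test",
    "<132>Jan 15 21:06:30 tpp01 VenafiLog: Certificate CN=web02.example.test expires in 7 days",
    "<134>Jan 15 21:07:00 tpp01 VenafiLog: Discovery job completed",
    "garbage line without a PRI",
]

BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "   # e.g. 'Jan 15 21:05:09' or 'Mar  5 ...'
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:?\s?"      # TAG, optional [pid], optional ':'
    r"(?P<msg>.*)$"
)


def encode_pri(facility: int, severity: int) -> int:
    """PRI is facility * 8 + severity; this is the number inside the angle brackets."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError(f"facility {facility} / severity {severity} out of range")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def parse_bsd(line: str, year: int) -> dict:
    """Parse one RFC 3164 line. Raises ValueError if the line does not match."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    # The RFC 3164 timestamp has no year and no zone. The Venafi Log server writes
    # it in GMT/UTC, so attach UTC explicitly together with the caller-supplied year.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "time_utc": ts.isoformat(),
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def filter_events(lines, year: int, max_severity: int = 4) -> list:
    """Parse each line, skip malformed ones, and keep events at max_severity or more urgent."""
    kept = []
    for line in lines:
        try:
            event = parse_bsd(line, year)
        except ValueError:
            continue   # a receiver should count these rather than crash on them
        if event["severity"] <= max_severity:
            kept.append(event)
    return kept


if __name__ == "__main__":
    for event in filter_events(SAMPLE_LINES, 2024):
        print(event["time_utc"], event["facility_name"], event["severity_name"], event["message"])
```

The year parameter is the one piece of state the receiver must track itself; a collector that rolls it over at midnight on 31 December will otherwise file January messages a year in the past.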

About TLS

The Syslog channel driver can establish a secure (TLS-encrypted) connection to the remote destination. Without TLS, syslog over UDP or plain TCP is sent in cleartext and the sender has no assurance of which collector received it; with TLS, the messages are encrypted in transit and the driver can check the collector's certificate before sending, so make sure the collector presents a certificate issued by a CA the platform trusts.
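To show what a TLS syslog connection must get right on the sending side, here is a minimal client written for this page; it is an added example, not the Venafi driver's code. It builds a context that requires a verifiable chain, checks the host name, refuses TLS 1.0/1.1, and frames each message with RFC 5425 octet counting so the receiver can split the byte stream. The CA file path, optional client certificate and the host/port are placeholders the caller supplies; nothing here is a real Venafi setting.

```python
import socket
import ssl


def make_verifying_context(ca_file=None, client_cert=None, client_key=None) -> ssl.SSLContext:
    """Client-side TLS context that refuses an unauthenticated collector.

    ca_file: PEM bundle containing the CA that issued the collector's certificate
             (None falls back to the system trust store).
    client_cert / client_key: optional client certificate for mutual TLS when the
             collector requires the sender to authenticate as well.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0 / 1.1
    ctx.check_hostname = True                      # certificate name must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable chain -> handshake fails
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check: every setting that makes TLS worth having is still in force."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def frame_octet_counted(message: str) -> bytes:
    """RFC 5425 framing: '<byte length> <message>'. The length counts bytes, not characters."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def send_syslog_tls(host: str, port: int, messages, ca_file=None, timeout: float = 5.0) -> int:
    """Send all messages over one TLS connection; returns the number of bytes written."""
    ctx = make_verifying_context(ca_file)
    if not context_is_strict(ctx):
        raise RuntimeError("refusing to send over a non-verifying TLS context")
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the host name check.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for message in messages:
                frame = frame_octet_counted(message)
                tls.sendall(frame)
                sent += len(frame)
    return sent


if __name__ == "__main__":
    # Placeholder destination; replace with the collector's name, port and CA bundle.
    print(send_syslog_tls("syslog.example.test", 6514,
                          ["<131>Jan 15 21:05:09 tpp01 VenafiLog: constructed test message"],
                          ca_file="collector-ca.pem"))
```

Port 6514 is the IANA-assigned port for syslog over TLS; the host name passed as server_hostname must be the name on the collector's certificate, not an IP address, or the hostname check will fail even with a trusted chain.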